Vulnerability Development mailing list archives
Re: MSIE integer overflows
From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Thu, 15 May 2003 00:59:51 +0200
Yes:

--
var i = 32*256*256*256*256*256*256*256; // 2^61, far beyond the 53-bit exact range of a JS Number
var a = i;
var b = i + 1;                           // rounds back to the same double as i
alert(a + '==' + b + ' evaluates to ' + (a == b));
--

evaluates to true

Berend-Jan Wever

----- Original Message -----
From: "xenophi1e" <oliver.lavery () sympatico ca>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, May 14, 2003 19:02
Subject: Re: MSIE integer overflows
In-Reply-To: <004e01c319fb$7ec41050$0100a8c0@grotedoos>

> Not true: "++i" will increase i first and return the result of that
> increased i where "i++" will return i and then increase it:
>
> -- example.js --
> var i = 1;
> document.write(++i); // prints 2, i=2;
> document.write(i++); // prints 2, i=3;
> -- cut here --

Yes, of course. Again, I'm talking about C here, simply because I don't know JS to this level of detail. But...

document.write((i==++i) + ' ' + (i==++i) + '<BR>');

Seems like ambiguous code that might rely on unspecified behaviours. Postincrement and preincrement are gotchas in C. For example the following code:

i = 2;
printf ("%d", i++ * i++);

Often does not print 6 as you might think, but rather prints 4. The reason is that the postincrement operator increments the values before the next sequence point, not necessarily the next _operation_.

I was just pointing out that using expressions like i == ++i seems a bit suspect. I'm not certain, but I believe a C compiler is free to do both increments prior to the rest of the expression. It does seem like it should always be a tautology, though.

Do you get the same results if you write the same code less ambiguously?

Cheers,
~ol
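The `a == b` result above is not an integer overflow in the C sense: JavaScript Numbers are IEEE-754 doubles, so every integer up to 2^53 is exact but beyond that only every 2nd, 4th, 8th, ... integer is representable, and `+ 1` rounds back to the same value. The following is an added example, not code from the thread: it locates the threshold where `p + 1 == p` first holds, computes the spacing of representable values at the thread's 2^61, and shows BigInt as the exact alternative. Function and constant names are this example's own.

```javascript
// Added example: precision loss in JavaScript Numbers (IEEE-754 doubles).

// Smallest power of two p for which p + 1 rounds back to p. Expected 2^53.
function findPrecisionLossThreshold() {
  let p = 1;
  while (p + 1 !== p) {
    p *= 2;
  }
  return p;
}

// Spacing between consecutive representable doubles at magnitude n
// (n a positive integer): 1 up to 2^53, doubling with each further power of two.
function unitInLastPlace(n) {
  let ulp = 1;
  let limit = Math.pow(2, 53);
  while (n >= limit) {
    limit *= 2;
    ulp *= 2;
  }
  return ulp;
}

// The comparison from the thread, plus whether both operands are "safe" integers
// (Number.isSafeInteger is the check to apply to lengths/counts parsed from input).
function plusOneTest(n) {
  const a = n;
  const b = n + 1;
  return {
    a: a,
    b: b,
    equal: a === b,
    safe: Number.isSafeInteger(a) && Number.isSafeInteger(b),
  };
}

// Exact alternative: BigInt carries arbitrary-precision integers, so +1 never collapses.
function plusOneBigInt(n) {
  const a = BigInt(n);
  const b = a + 1n;
  return { a: a.toString(), b: b.toString(), equal: a === b };
}

// The value from the thread: 32 * 256^7 = 2^61 (constructed here from the same expression).
const THREAD_VALUE = 32 * 256 * 256 * 256 * 256 * 256 * 256 * 256;

console.log('threshold:', findPrecisionLossThreshold());        // 9007199254740992
console.log('ulp at 2^61:', unitInLastPlace(THREAD_VALUE));      // 512
console.log('Number:', plusOneTest(THREAD_VALUE));               // equal: true, safe: false
console.log('BigInt:', plusOneBigInt(THREAD_VALUE));             // equal: false
```

At 2^61 the representable doubles are 512 apart, so any addition smaller than 256 rounds away entirely; code that relies on `n + 1 > n` for bounds or loop termination should first confirm `Number.isSafeInteger(n)` or move to BigInt.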
Current thread:
- MSIE integer overflows Berend-Jan Wever (May 12)
- <Possible follow-ups>
- Re: MSIE integer overflows xenophi1e (May 13)
- Re: MSIE integer overflows Berend-Jan Wever (May 14)
- Re: MSIE integer overflows Luciano Miguel Ferreira Rocha (May 15)
- Re: MSIE integer overflows Berend-Jan Wever (May 14)
- Re: MSIE integer overflows xenophi1e (May 14)
- Re: MSIE integer overflows Berend-Jan Wever (May 15)
- RE: MSIE integer overflows Cameron Brown (May 16)
- Re: MSIE integer overflows Berend-Jan Wever (May 15)
- Re: MSIE integer overflows xenophi1e (May 16)